How to remove a Callback Notify Routine of a determin

  • Question

  • I'm a newbie in kernel driver development and need to remove a callback notify routine of a specific module (.sys file).

    I searched the web and found this (incomplete) example in a Chinese forum that shows how to do this, but my goal is to remove only PsSetCreateProcessNotifyRoutine, so I made some adjustments to this (incomplete) example, which resulted in the following code, but I don't know if I'm going in the right direction.

    Could someone give me an idea, please?

    Thank you very much in advance.

    Here is my code, compiled with success using: VS2010Visual DDK and WDK 7600.16385.1

    https://pastebin.com/BjriqW4n

    status returns: 0xc000007a and only the "FIRST" condition block is executed :(

    Thursday, December 21, 2017 9:17 AM